Re: change keys in a ..._VARS.fd file programmatically (SecureBoot enabled)

[Laszlo Ersek <lersek@redhat.com>]

Hi,

On 02/05/18 15:14, Dmitry Mityugov wrote:
> Hi,
> 
> Could you please let me know if it possible to automate changing keys in a
> ..._VARS.fd when SecureBoot is enabled? I understand that I can go into the
> UEFI shell and change them there manually, but I'm looking for a way to
> add/replace/delete them from my program before a KVM VM is started.
> 
> I've found an email in this list with a similar question,
> https://lists.01.org/pipermail/edk2-devel/2017-August/012995.html , but I'm
> not sure if the answer is still valid, or if any new possibilities have
> arosen since then.

My (still valid) answer is here:

http://mid.mail-archive.com/550860A1.9030904@redhat.com

and here:

http://mid.mail-archive.com/56461E2D.1090601@redhat.com

and here:

http://mid.mail-archive.com/a1eedec9-f1c2-049d-8bb4-b094c9626f8e@redhat.com

> There are also some home-made editors for the vars, like
> http://git.annexia.org/?p=virt-efivars.git;a=summary . Should I go this way
> in my adventure?

I'm unsure how frequently Rich maintains this project (I'm CC'ing him),
but the approach in this project is generally workable, because it
modifies the variable store *from within* the guest (the "appliance" in
libguestfs lingo), using the UEFI runtime variable services.

Summary:
- if you try to modify the variable store file from the host side, with
  a custom utility that is independent of edk2, that's a bad idea.
- Whereas, if you modify the variable store from within the guest, via
  the UEFI variable services (calling them from the UEFI shell, or from
  the guest operating system / a privileged guest OS process), that's a
  good idea. (This is what "virt-efivars" does.)

Thanks,
Laszlo